Store Goose
Features Request Demo

Data Processing Agreement (DPA)

Last Updated: 25th Aug 2025
This Data Processing Agreement (“Agreement” or “DPA”) forms part of the Terms and Conditions or other written agreement (“Principal Agreement”) between:
Customer ("Controller"), who subscribes to StoreGoose's services; and
StoreGoose ("Processor"), who provides software-as-a-service for storage unit management.
Together, the parties agree as follows:
1. Definitions
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Controller” means the Customer who determines the purposes and means of processing Personal Data.
  • “Processor” means StoreGoose, who processes Personal Data on behalf of the Controller.
  • “Data Subject” means the individual whose Personal Data is processed (e.g., storage tenants).
  • “Sub-processor” means any third party engaged by the Processor to assist in processing Personal Data.
2. Subject Matter and Duration
  • 2.1 This Agreement governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the Principal Agreement.
  • 2.2 Processing will continue for the duration of the Controller’s use of the Service or until termination of the Principal Agreement.
3. Nature and Purpose of Processing
  • Processor will process Personal Data solely for the purpose of providing storage unit management services, including but not limited to:
  • Tenant and contract management
  • Billing and payment processing (via Stripe)
  • Reservation management
  • Communication with tenants
  • Reporting and analytics
4. Categories of Data Subjects and Data
  • Data Subjects: Storage unit tenants, employees, and representatives of the Controller.
  • Personal Data Processed: Names, addresses, email addresses, phone numbers, billing/payment details (processed through Stripe), rental agreements, and other data input by the Controller.
5. Processor’s Obligations
  • Processor agrees to:
  • Process Personal Data only on documented instructions from the Controller.
  • Ensure personnel authorized to process data are bound by confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Assist the Controller in fulfilling obligations to respond to data subject requests.
  • Notify the Controller without undue delay after becoming aware of a Personal Data breach.
  • Make available information necessary to demonstrate compliance with this Agreement.
6. Sub-Processing
  • 6.1 The Controller authorizes Processor to use Sub-processors to provide the Service (e.g., hosting providers, payment processors like Stripe).
  • 6.2 Processor shall ensure Sub-processors are bound by written agreements requiring equivalent data protection obligations.
  • 6.3 A list of current Sub-processors is available here. Processor will provide notice of any intended changes, giving Controller the opportunity to object.
7. Controller’s Obligations
  • The Controller agrees to:
  • Ensure it has the right to transfer and lawfully process Personal Data through the Service.
  • Provide accurate and lawful instructions to the Processor.
  • Comply with applicable data protection laws regarding its role as Controller.
8. International Transfers
  • Where Personal Data is transferred outside the EEA, UK, or other regions with data transfer restrictions, Processor shall ensure appropriate safeguards (e.g., Standard Contractual Clauses) are in place.
9. Data Subject Rights
  • Processor will, to the extent legally permitted, assist the Controller in responding to data subject requests (e.g., access, correction, deletion, portability).
10. Data Breach Notification
  • In the event of a Personal Data breach, Processor will notify the Controller without undue delay and provide reasonable assistance to enable the Controller to comply with legal obligations.
11. Termination and Data Return
  • Upon termination of the Principal Agreement, Processor will, at Controller’s request, delete or return all Personal Data, unless retention is required by law.
12. Liability
  • The liability provisions of the Principal Agreement apply to this DPA. Nothing in this DPA limits either party’s liability under applicable data protection laws.
13. Governing Law and Jurisdiction
  • This Agreement shall be governed by and construed in accordance with the laws of England and Wales. Disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
14. Contact
  • For data protection inquiries:
  • StoreGoose – Data Protection Officer
  • hello@storegoose.com
Annex A: Technical and Organizational Measures
  • Processor implements, at a minimum:
  • Data encryption in transit and at rest
  • Access controls and authentication measures
  • Regular security monitoring and audits
  • Data backup and recovery procedures
  • Employee confidentiality and security training